Jim_FH
New Member
March 14, 2017
Question

Forticlient RADIUS server authentication - user groups

Kind of a strange question:

I have two RADIUS servers, and two different user groups defined - one per RADIUS server.

I'm wondering if there's a way to prioritize authenticating against one RADIUS server over the other.

So, we have a user connect via Forticlient and authenticate against RADIUS Server1, which puts him/her in Group1. If Server1 is down, then it would authenticate against Server2 and put the user in a different group.

I thought I could achieve the desired result via the policies - put the user group from Server1 in a policy above a policy that refers to the user group from Server2 - but it seems like authentication is happening round-robin across the RADIUS servers, so it's impossible to predict which server will authenticate.

Any ideas how to prefer one over the other?

    emnoc
    New Member
    March 14, 2017

    What's listed in the user_group is the order, IIRC, but outside of placing the two nodes behind a VIP and priority weight-lb or "sloppy", I do not see how you can prioritize if you're looking for SERVER1 and then SERVER2 only if #1 is not available.

    Qs:

    Why do you want two different groups, though? Are you looking for a failover or load-share/balance on the two RADIUS servers?

    FWIW: check out this new post on my blog on using RADIUS-aaS and the example of a failover approach with FGT. I did this in the past and even with a group of "group-of-servers".

    http://socpuppet.blogspot.com/2017/03/using-jump-cloud-radius-for-fortimail.html

    We've used an INSIDE VIP mapped to 2 or more RADIUS servers (nodes). Under your config real server, you will have to set weight if you want to nail all connections to a server x.x.x.x over y.y.y.y.

    e.g.

    VIP
        set ldb-method weighted
        realserver
            NODE_A
                set weight 1000
            NODE_B
                set weight 0

    Ken


    Jim_FH (Author)
    New Member
    March 14, 2017

    Hi Ken:

    Interesting about the VIPs.

    I guess I don't need two groups; here's what I'm trying to get:

    RADIUS server1 is a MS MFA server that relays RADIUS requests to a MS NPS server. This works great: I can authenticate and define different Fortigate user groups based on AD groups using the Fortinet-specific RADIUS attribute. So if it's up and working, I want users to authenticate to RADIUS server1.

    However, if it's down, I want users to fail over to the 2nd RADIUS server, which is just a MS NPS server with NO MFA.

    Essentially, I would like the Forticlient users to authenticate via MFA if possible, but if the server is having issues, to "fail open" by then authenticating against a non-MFA RADIUS box.

    thanks,

    Jim


    emnoc
    New Member
    March 15, 2017

    Can you place the 2x RADIUS behind an SLB and weight all RADIUS requests to server#1? If server#1 goes down (fails health checks), authenticate via server#2.

    Ideally you should try to get MFA for both servers.
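As an added example (not code from this thread or from Fortinet), a FortiOS CLI sketch of the SLB approach Ken describes in both replies: a health-checked inside VIP in front of the two RADIUS nodes, with the MFA node active and the non-MFA NPS node as standby so it only receives requests once the MFA node fails its health check. Addresses, interface and object names are constructed placeholders; it assumes FortiOS server-load-balance VIPs with realserver standby status and ldb-monitor health checks, and that the RADIUS client reaches the VIP through a firewall policy permitting the RADIUS service.

```fortios
# Added example, not from the thread. Addresses and names are placeholders.
# Assumes FortiOS server-load-balance VIP, realserver standby status and ldb-monitor.

# Health check: a node is marked down after 3 missed pings, 5 s apart
config firewall ldb-monitor
    edit "radius-ping"
        set type ping
        set interval 5
        set timeout 2
        set retry 3
    next
end

# Inside VIP fronting both RADIUS nodes on UDP/1812
config firewall vip
    edit "RADIUS-SLB"
        set type server-load-balance
        # placeholder: the address the RADIUS client (FortiGate user radius) points at
        set extip 10.0.0.10
        # placeholder: interface facing the RADIUS client
        set extintf "internal"
        set server-type udp
        set extport 1812
        # weighted, as in the thread; with one active node all traffic goes to NODE_A
        set ldb-method weighted
        set monitor "radius-ping"
        config realservers
            # NODE_A placeholder: MS MFA server relaying to NPS (active)
            edit 1
                set ip 10.0.1.11
                set port 1812
                # assumption: FortiOS accepts weights 1-255, so 1000/0 from the thread is out of range
                set weight 255
            next
            # NODE_B placeholder: NPS without MFA, standby only
            edit 2
                set ip 10.0.1.12
                set port 1812
                # standby: used only while every active node fails its health check
                set status standby
            next
        end
    next
end
```

Every authentication served by NODE_B is a non-MFA login, so alert on the monitor marking NODE_A down rather than discovering the fail-open window afterwards.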